23.09.2013 | TU Darmstadt | Andreas Hülsing | 1
Practical Forward Secure Signatures using Minimal Security Assumptions
PhD Defense, Andreas Hülsing
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
Forward Secure Signatures [And97]
Forward Secure Signatures
Classical: one key pair (pk, sk) generated once and used for the whole lifetime of the key.
Forward secure: one fixed pk, but the secret key is updated over time, sk → sk_1 → sk_2 → … → sk_i → … → sk_T, one secret key per time period t_1, t_2, …, t_i, …, t_T.
Goal: an adversary who obtains sk_i cannot produce a valid signature (Sig, M, j) for an earlier period j < i.
What if…
Post-Quantum Signatures
Lattice, MQ, Coding
Signature and/or key sizes
Runtimes
Secure parameters
no forward secure signatures
[Slide figure: an example multivariate quadratic (MQ) system in variables x_1, …, x_4 with outputs y_1, y_2; the equations are not recoverable from the extraction.]
Hash-based Signature Schemes [Mer89]
Post quantum
Only secure hash function
Security well understood
Fast
Forward secure (inefficient)
Cryptographic Hash Functions
A hash function H maps {0,1}^m → {0,1}^n. As a keyed family:
$\mathcal{H}_n = \{H_K : \{0,1\}^m \to \{0,1\}^n \mid K \in \{0,1\}^{n'}\}$
Security properties, the complexity world each belongs to, and the generic attack complexity (AC):
Collision Resistance (CR): Cryptomania, AC O(2^{n/2})
Second-preimage Resistance (SPR): Minicrypt, AC O(2^n)
One-wayness (OW): Minicrypt, AC O(2^n)
Undetectability (UD): Minicrypt, AC O(2^n)
Pseudorandomness (PRF): Minicrypt, AC O(2^n)
Hash-based Signatures
[Slide figure: a Merkle tree. The leaves are the public keys of 2^h one-time signature (OTS) key pairs (each OTS SK is used for exactly one signature); every inner node is H applied to its two children; the root is the public key PK.]
SIG = (i=2, OTS signature under the i-th OTS key, authentication path: the sibling nodes along the path from leaf i to PK)
Challenges & Achievements
Minimal security assumptions XOR Efficient
Forward secure XOR Efficient
Large signatures
No full smartcard implementation
Efficient
Minimal security assumptions
"Small signatures"
Forward secure
Full smartcard implementation
Contribution
Chapter 3: New Variants of the Winternitz One Time Signature Scheme: WOTS+ & WOTS$
Chapter 4: XMSS, "A practical, forward secure signature scheme based on minimal security assumptions"
Chapter 5: XMSS^MT, "XMSS with Virtually Unlimited Signature Capacity"
Chapter 6: Choosing Optimal Parameters for XMSS*
Chapter 7: XMSS* in Practice: implementation; experimental results (CPU & smartcard)
Chapter 3
New Variants of the Winternitz One Time Signature Scheme
OTS
Winternitz OTS (WOTS) [Mer89; EGM96]
[Slide figure: |SK| = |PK| = m * (size of one element); 1. each public key element is f applied to the corresponding secret key element; 2. WOTS trades runtime for signature size: |σ| ~ m/log w * (size of one element). SIG = (i, OTS signature, authentication path).]
Function family: $\mathcal{F}_n = \{F_K : \{0,1\}^n \to \{0,1\}^n \mid K \in \{0,1\}^{n'}\}$
Formerly (WOTS function chain): $c^0(x) = x$, $c^i(x) = F_K(c^{i-1}(x)) = F_K^i(x) = F_K(F_K(\cdots F_K(x)\cdots))$ ($i$ times), $K \in \{0,1\}^{n'}$
WOTS+ function chain: for w ≥ 2 select $K \in \{0,1\}^{n'}$ and bitmasks $R = (r_1, \ldots, r_{w-1})$, $r_i \in \{0,1\}^n$:
$c^0(x) = x$, $c^1(x) = F_K(x \oplus r_1)$, …, $c^i(x) = F_K(c^{i-1}(x) \oplus r_i)$, …, $c^{w-1}(x)$
WOTS+ [Hül13]
Parameters: Winternitz parameter w, security parameter n, message length m, function family $\mathcal{F}_n = \{F_K : \{0,1\}^n \to \{0,1\}^n \mid K \in \{0,1\}^{n'}\}$
Key Generation: compute l (the number of chains), sample K, sample R. The secret key is sk = (sk_1, …, sk_l); each chain runs $c^0(sk_i) = sk_i$, $c^1(sk_i)$, …, $pk_i = c^{w-1}(sk_i)$ for i = 1, …, l, giving the public key (pk_1, …, pk_l) together with K and R.
WOTS+ Signature generation
The message M is split into base-w digits b_1, b_2, …, b_{l_1}; the checksum C over these digits gives the remaining digits b_{l_1+1}, …, b_l.
σ_i = c^{b_i}(sk_i) for i = 1, …, l, i.e. each signature element is an intermediate value of the chain $c^0(sk_i) = sk_i$ → … → $pk_i = c^{w-1}(sk_i)$ (e.g. σ_1 = c^{b_1}(sk_1), σ_l = c^{b_l}(sk_l)).
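The chain construction, key generation, signing (base-w digits plus checksum) and verification of the two slides above, as an added toy example in Python that is not the thesis code; it assumes SHA-256 as the instantiation of F_K and n = 256 bit, w = 16:

```python
import hashlib
import os

# Toy WOTS+ (an added illustration, not the thesis code): n = 256 bit, w = 16,
# F_K instantiated with SHA-256 (assumption), l = l1 + l2 = 64 + 3 chains.
N, W, LOGW = 32, 16, 4
L1 = (N * 8) // LOGW            # base-w digits of a 256-bit message digest
L2 = 3                          # checksum digits: max checksum 64*15 < 16^3
L = L1 + L2

def F(key: bytes, x: bytes) -> bytes:
    return hashlib.sha256(key + x).digest()

def chain(x: bytes, start: int, steps: int, key: bytes, R: list) -> bytes:
    """c^{start+steps}(x) from c^{start}(x): c^i = F_K(c^{i-1} XOR r_i)."""
    for i in range(start + 1, start + steps + 1):
        x = F(key, bytes(a ^ b for a, b in zip(x, R[i - 1])))
    return x

def keygen():
    """sk = l random chain starts; pk = the chain ends plus the public K and R."""
    sk = [os.urandom(N) for _ in range(L)]
    key = os.urandom(N)                          # K
    R = [os.urandom(N) for _ in range(W - 1)]    # bitmasks r_1 .. r_{w-1}
    pk = [chain(s, 0, W - 1, key, R) for s in sk]
    return sk, (pk, key, R)

def digits(msg: bytes) -> list:
    """b_1..b_l1 from the digest, then the checksum C = sum(w-1-b_i) in base w."""
    b = []
    for byte in hashlib.sha256(msg).digest():
        b += [byte >> 4, byte & 0xF]
    csum = sum(W - 1 - bi for bi in b)
    b += [(csum >> (LOGW * i)) & (W - 1) for i in reversed(range(L2))]
    return b

def sign(sk: list, pub: tuple, msg: bytes) -> list:
    """sigma_i = c^{b_i}(sk_i); a WOTS+ key pair must sign only one message."""
    _, key, R = pub
    return [chain(sk[i], 0, bi, key, R) for i, bi in enumerate(digits(msg))]

def verify(pub: tuple, msg: bytes, sig: list) -> bool:
    """Finish each chain: c^{w-1-b_i}(sigma_i) must equal pk_i."""
    pk, key, R = pub
    return all(chain(sig[i], bi, W - 1 - bi, key, R) == pk[i]
               for i, bi in enumerate(digits(msg)))
```

The checksum is what stops an attacker from turning a signature into one for a message with larger digits: increasing any b_i decreases C, so some chain would have to be walked backwards.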
Main result
Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family.
Security Proof: Reduction
Intuition
Oracle response: (σ, M); M → (b_1, …, b_l). Forgery: (σ*, M*); M* → (b_1*, …, b_l*).
Observations:
1. Checksum: $\exists\, \alpha \in \{1, \ldots, l\}$ s.th. $b_\alpha^* < b_\alpha$.
2. Verification: $c^{w-1-b_\alpha^*}(\sigma^*_\alpha) = pk_\alpha = c^{w-1-b_\alpha}(\sigma_\alpha)$
So on chain α (which starts at $c^0(sk_\alpha) = sk_\alpha$) the forgery element σ*_α sits at an earlier position than σ_α, yet both reach pk_α: the forger has produced a "quasi-inversion" of c.
Intuition, cont'd
Oracle response: (σ, M); M → (b_1, …, b_l). Forgery: (σ*, M*); M* → (b_1*, …, b_l*).
Given: a "quasi-inversion" of c on chain α ($c^0(sk_\alpha) = sk_\alpha$ → … → σ_α → … → pk_α versus the chain started at σ*_α). Walking both chains forward, at some position β the reduction obtains either a second-preimage for F_K (under the bitmask r_β) or a preimage.
Result
Old [DSS05]: CR, UD, OW function family; Cryptomania; |Sig| = l * 2b
WOTS$ [BDEHR11]: PRF function family; Minicrypt; |Sig| = l * (b + w)
WOTS+ [Hül13]: SPR, UD, OW function family; conjectured Minicrypt; |Sig| = l * (b + log w)
Chapter 4
XMSS
XMSS [BDH11]
OTS: Lamport-Diffie / WOTS → WOTS+ / WOTS$
Tree construction [DOTV08]: inner nodes are computed as H((left ∥ right) ⊕ b_i) with bitmasks b_i
Pseudorandom key generation: a forward secure PRG (FSPRG → FSPRG → FSPRG → …) produces one seed per leaf, and a PRG expands each seed into the OTS secret key of that leaf.
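The tree layer of the slide above, as an added Python example that is not the thesis or project code: bitmasked node hashing, authentication paths, and an FSPRG seed chain whose state is overwritten after each leaf. It assumes SHA-256 for H and placeholder leaves in place of WOTS+ public keys:

```python
import hashlib
import os

# Added illustration of the XMSS tree layer (not the thesis code); assumes H = SHA-256,
# placeholder leaves standing in for WOTS+ public keys, and FSPRG/PRG built from H.
NB = 32

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fsprg_next(state: bytes) -> tuple:
    """Forward secure PRG step: (new state, seed of this leaf); the caller discards
    the old state, so a leaked state reveals no earlier seed."""
    return H(b"state" + state), H(b"seed" + state)

def leaf_keys(state: bytes, n_leaves: int) -> tuple:
    leaves = []
    for _ in range(n_leaves):
        state, seed = fsprg_next(state)
        leaves.append(H(b"leaf" + seed))  # stands in for PRG(seed) -> OTS sk -> pk
    return state, leaves

def build_tree(leaves: list, bitmasks: list) -> list:
    """Levels bottom-up; inner node = H((left || right) XOR b_level) [DOTV08]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur, b = levels[-1], bitmasks[len(levels) - 1]
        levels.append([H(xor(cur[i] + cur[i + 1], b)) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels: list, idx: int) -> list:
    """Sibling of each node on the path from leaf idx to the root."""
    return [levels[lvl][(idx >> lvl) ^ 1] for lvl in range(len(levels) - 1)]

def root_from_path(leaf: bytes, idx: int, path: list, bitmasks: list) -> bytes:
    node = leaf
    for lvl, sib in enumerate(path):  # bit lvl of idx says which side we are on
        pair = sib + node if (idx >> lvl) & 1 else node + sib
        node = H(xor(pair, bitmasks[lvl]))
    return node

def demo(h: int = 4) -> bool:
    # Build a height-h tree and verify every leaf's authentication path.
    bitmasks = [os.urandom(2 * NB) for _ in range(h)]
    _, leaves = leaf_keys(os.urandom(NB), 2 ** h)
    levels = build_tree(leaves, bitmasks)
    return all(root_from_path(leaves[i], i, auth_path(levels, i), bitmasks) == levels[-1][0]
               for i in range(2 ** h))
```

A real XMSS signer also has to persist the leaf index and the advanced FSPRG state before releasing a signature; reusing an index reuses a one-time key.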
Result
SPR-MSS [DOTV08]: Minicrypt; FSS; |SK| = 2^{h+1} bm + TTA; |SIG| ~ 2bm + hb
GMSS (Single Tree) [BDK+07]: Cryptomania; not FSS; |SK| = b + TTA; |SIG| ~ 2b(m/log w) + h·2b
XMSS [BDH11]: Minicrypt; FSS; |SK| = b + TTA; |SIG| ~ b(m/log w) + hb
Chapter 7
XMSS* in Practice
XMSS Implementations: C Implementation
C implementation using OpenSSL [BDH2011], measured on an Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI:

Scheme        Sign (ms)  Verify (ms)  Signature (bit)  Public Key (bit)  Secret Key (byte)  Bit Security  Comment
XMSS-SHA-2    35.60      1.98         16,672           13,600            3,364              157           h = 20, w = 64
XMSS-AES-NI   0.52       0.07         19,616           7,328             1,684              84            h = 20, w = 4
XMSS-AES      1.06       0.11         19,616           7,328             1,684              84            h = 20, w = 4
RSA 2048      3.08       0.09         ≤ 2,048          ≤ 4,096           ≤ 512              87
XMSS Implementations: Smartcard Implementation [HBB12]
Platform: Infineon SLE78, 16-bit CPU @ 33 MHz, 8 KB RAM, TRNG, symmetric & asymmetric co-processor.

Scheme    Sign (ms)  Verify (ms)  Keygen (ms)  Signature (byte)  Public Key (byte)  Secret Key (byte)  Bit Sec.  Comment
XMSS      134        23           925,400      2,388             800                2,448              92        H = 16, w = 4
XMSS+     106        25           5,600        3,476             544                3,760              94        H = 16, w = 4
RSA 2048  190        7            11,000       ≤ 256             ≤ 512              ≤ 512              87

NVM: the card supports 16.5 million write cycles per sector; XMSS+ needs fewer than 5 million write cycles (h = 20).
Conclusion
Efficient
Minimal security assumptions
"Small signatures"
Forward secure
Full smartcard implementation
Future Work
FSS in the wild: statefulness in practice
Stateless signatures: few-time WOTS
Thank you! Questions?
Publications
[1] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. In A. Nitaj and D. Pointcheval (Eds), Africacrypt 2011, LNCS 6737, pp 363-378. Springer Berlin / Heidelberg, 2011.
[2] J. Buchmann, E. Dahmen, and A. Hülsing. XMSS - a practical forward secure signature scheme based on minimal security assumptions. In Bo-Yin Yang (Ed), Post-Quantum Cryptography, LNCS 7071, pp 117-129. Springer Berlin / Heidelberg, 2011.
[3] A. Hülsing, A. Petzoldt, M. Schneider, and S.M. El Yousfi Alaoui. Postquantum Signaturverfahren Heute. In Ulrich Waldmann (Ed), 22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012. Fraunhofer Verlag Stuttgart.
[4] A. Hülsing, C. Busold, and J. Buchmann. Forward secure signatures on smart cards. In Lars R. Knudsen and Huapeng Wu (Eds), Selected Areas in Cryptography, LNCS 7707, pp 66–80. Springer Berlin Heidelberg, 2013.
[5] J. Braun, A. Hülsing, A. Wiesmaier, M. A. G. Vigil, and J. Buchmann. How to avoid the breakdown of public key infrastructures - forward secure signatures for certificate authorities. In S. Capitani di Vimercati and C. Mitchell (Eds), EuroPKI 2012, LNCS 7868, pp 53-68. Springer Berlin Heidelberg, 2013.
[6] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. Journal of Applied Cryptography, 3(1):84–96, 2013.
[7] A. Hülsing. W-OTS+ — shorter signatures for hash-based signature schemes. In A.Youssef, A. Nitaj, and A.E. Hassanien (Eds), Africacrypt 2013, LNCS 7918, pp 173–188. Springer Berlin Heidelberg, 2013.
[8] M. M. Olembo, T. Kilian, S. Stockhardt, A. Hülsing, and M. Volkamer. Developing and testing a visual hash scheme. In N. Clarke, S.Furnell, and V.Katos (Eds), Proceedings of the European Information Security Multi-Conference (EISMC 2013). Plymouth University, April 2013.
[9] P. Weiden, A. Hülsing, D. Cabarcas, and J. Buchmann. Instantiating treeless signature schemes. Cryptology ePrint Archive, Report 2013/065, 2013. http://eprint.iacr.org/.
[10] A. Hülsing, J. Braun. Langzeitsichere Signaturen durch den Einsatz hashbasierter Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013.
[11] J. Braun, M. Horsch, A. Hülsing. Effiziente Umsetzung des Kettenmodells unter Verwendung vorwärtssicherer Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013.
[12] A. Hülsing, L. Rausch, and J. Buchmann. Optimal parameters for XMSSMT. In A. Cuzzocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu, (Eds), Security Engineering and Intelligence Informatics, LNCS 8128, pp 194–208. Springer Berlin Heidelberg, 2013.
[13] J. Buchmann, D. Cabarcas, F. Göpfert, A. Hülsing, and P. Weiden. Discrete ziggurat: A time-memory trade-off for sampling from a gaussian distribution over the integers. In Selected Areas in Cryptography 2013 (SAC’13), to appear.
[14] J. Braun, F. Kiefer, and A. Hülsing. Revocation & non-repudiation: When the first destroys the latter. In EuroPKI 2013, to appear.
Quantum Computing Progress
IBM 2012: "Scientists at IBM Research … have achieved major advances in quantum computing device performance that may accelerate the realization of a practical, full-scale quantum computer."
Chapter 5
XMSS^MT
[Slide figure: a multi-layer tree of trees; tree i on layer j signs the root of a tree on the layer below.]
Tree Chaining [BGD+06, BDK+07]
Improved distributed signature generation [HBB12, HRB13]
Key generation time: $t_{KG}: O(2^h) \to O(2^{h/d})$
Result
GMSS [BDK+07]: Cryptomania; not FSS; $t_{SIG} = h/2 = \sum h_i/2$
XMSS^MT [HBB12, HRB13]: Minicrypt; FSS; $t_{SIG} = h_0/2$
Security Level aka. Bit Security
Exact proof: "In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately 2^{λ−1}." [Len04]
Solve for t, using ε = 1/2 and the generic attack complexity 2^n of the underlying function family (classical case).
Security Level aka. Bit Security (Quantum Case)
Same definition of security level λ [Len04]; solve for t, using ε = 1/2 and the generic quantum attack complexity 2^{n/2}.
EU-CMA for OTS
The challenger generates (PK, SK) on input 1^n and hands PK to the adversary. The adversary may query SIGN (which holds SK) on one message M and receives (σ, M). It outputs a forgery (σ*, M*).
Success if M* ≠ M and Verify(pk, σ*, M*) = Accept.
Quantum-secure Signatures
As before, the adversary receives PK (on input 1^n) and SIGN holds SK, but signing queries are made in superposition: $\sum_m |m\rangle \to \sum_m |m, \sigma_m\rangle$, q times.
The adversary outputs q+1 pairs $\{(m_i, \sigma_i)\}_{i=1}^{q+1}$.
Success if $m_i \neq m_j$ for all $i \neq j \in [1, q+1]$ and $\mathrm{Verify}(pk, m_i, \sigma_i) = 1$ for all i.
BDS Tree Traversal [BDS08]
Computes authentication paths.
Store the most expensive nodes: the upper k levels of the height-h tree (a node on level h-1 costs 2^{h-1} leaf computations, on level h-2 costs 2^{h-2}, and so on).
Left nodes are cheap. Distribute the costs: (h-k)/2 updates per round.
Minimal Security Assumptions
XMSS needs a second-preimage resistant hash function family (HFF), a one-way function family (FF) and a pseudorandom FF. All of these exist if one-way functions exist: one-way FF → pseudorandom generator [HILL99] → pseudorandom FF [GGM86]; one-way FF → target-collision resistant HFF [Rom90] → digital signature scheme [NaYu89, Rom90].
From Fixed to Arbitrary Length Messages
"Hash and Sign" with a collision-resistant HFF: efficient, Cryptomania.
"Hash and Sign" with a target collision-resistant HFF: inefficient, Minicrypt.
Minimal Security Assumptions - Why?
Theory: nice.
Practice: weaker assumption → stronger security → smaller signatures.
Attack: weaker assumption → harder to attack → attack less likely → "early warning".
… BUT WAIT!
CR is needed for chosen message attacks (CMA); for random message attacks (RMA) only SPR is needed.
Active signing: CMA. Stored messages: RMA.
If CR is broken: change the HFF.
02.12.2011 | TU Darmstadt | A. Huelsing | 46
Hash function & PRF
Use plain AES for the PRF.
Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for the hash function.
$\mathcal{F}_n = \{F_K : \{0,1\}^n \to \{0,1\}^n \mid K \in \{0,1\}^n\}$